DET0310: Suspicious Addition to Local or Domain Groups
Analyst context for executives and security teams
This detection strategy is about spotting suspicious additions of accounts to local or domain groups, a behavior ATT&CK links to persistence and privilege escalation through Additional Local or Domain Groups (T1098.007). For leaders, the practical issue is not just group membership hygiene: unexpected membership changes can turn a normal account into a durable administrative foothold. This matters for identity governance, incident response scoping, audit evidence, and resilience of Windows, macOS, and Linux environments where the related technique applies.
Executive priority
Treat privileged and sensitive group membership changes as high-value security events that should be monitored, reviewed, and explainable. Executives and risk owners should ask whether the organization can prove who was added to powerful local or domain groups, who approved it, how quickly the SOC would see it, and whether incident responders can reconstruct the change during an investigation. This is especially important for compliance readiness and identity/access management because unexplained group additions can undermine least privilege and persistence controls.
Technical view
The supplied ATT&CK object has no official detection text and no platforms of its own, but it detects T1098.007, which is associated with persistence and privilege escalation across Windows, macOS, and Linux. SOC and detection engineering teams should validate monitoring for local and domain group membership changes, especially additions to administrative, privileged, remote access, service management, or security-sensitive groups. IR teams should be able to correlate the account added, actor or process that made the change, source host, timestamp, authentication context, and whether the change matches an approved request.
Likely telemetry
- Directory service or identity provider group membership change logs
- Local operating system security/audit logs for account and group management
- Endpoint command/process telemetry related to account or group modification utilities
- Administrative activity logs from domain controllers, servers, workstations, and identity management systems
- Change management or access request records used to validate whether the addition was approved
Detection direction
- Prioritize alerting on additions to high-risk local or domain groups rather than all group changes equally.
- Correlate group additions with the initiating account, source system, target account, group sensitivity, and recent authentication activity.
- Tune for legitimate administration, onboarding, break-glass use, automation, and identity governance workflows to reduce false positives.
- Review coverage gaps for non-Windows systems because the related ATT&CK technique includes Windows, macOS, and Linux, while this detection strategy does not provide platform-specific guidance.
- Validate that logs are retained long enough for incident response to determine when persistence may have been established.
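The detection direction above can be exercised on a handful of records. The following is an added example, not part of the ATT&CK object or the Glexia analysis: it parses constructed Windows Security audit events for member-added-to-group (event IDs 4728, 4732 and 4756, which are the real IDs for security-enabled global, local and universal groups) and constructed Linux `usermod` auth-log lines, keeps only additions to an inventory of high-risk groups, correlates actor, source host, target account and group, and suppresses additions that match a change-management approval record. The group inventory, hostnames, accounts, ticket numbers and the exact Linux line format are assumptions for the sample.

```python
"""Triage of group-membership additions (added example; sample data is constructed)."""
from dataclasses import dataclass
from typing import Optional
import re

# Assumed inventory of privileged / security-sensitive groups (see mitigation list).
HIGH_RISK_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators",
    "Remote Desktop Users", "sudo", "wheel", "docker",
}

# Windows Security audit events: a member was added to a security-enabled
# global (4728), local (4732) or universal (4756) group.
WINDOWS_MEMBER_ADDED = {4728, 4732, 4756}

# Constructed auth.log shape for usermod; real lines carry the member in DN or
# plain form depending on the tool, so treat this regex as an assumption.
LINUX_ADD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) usermod\[\d+\]: add '(?P<target>[^']+)' "
    r"to group '(?P<group>[^']+)'"
)


@dataclass
class GroupAdd:
    source: str        # "windows" or "linux"
    host: str          # system where the change was recorded
    actor: str         # account that made the change
    target: str        # account that was added
    group: str
    timestamp: str


@dataclass
class Alert:
    event: GroupAdd
    approved: bool
    approver: Optional[str]   # from the matching change record, if any


def parse_windows(event: dict) -> Optional[GroupAdd]:
    """Map a 4728/4732/4756 event to GroupAdd; other event IDs are ignored."""
    if event.get("EventID") not in WINDOWS_MEMBER_ADDED:
        return None
    # In these events SubjectUserName is the actor, MemberName the added
    # account and TargetUserName the group name.
    return GroupAdd("windows", event["Computer"], event["SubjectUserName"],
                    event["MemberName"], event["TargetUserName"],
                    event["TimeCreated"])


def parse_linux(line: str, actor: str = "unknown") -> Optional[GroupAdd]:
    """usermod lines do not name the invoking user; pass it from the sudo record."""
    m = LINUX_ADD_RE.match(line)
    if not m:
        return None
    return GroupAdd("linux", m["host"], actor, m["target"], m["group"], m["ts"])


def triage(events: list, approvals: list) -> list:
    """Alert on additions to high-risk groups; mark ones backed by an approval."""
    alerts = []
    for ev in events:
        if ev.group not in HIGH_RISK_GROUPS:
            continue
        rec = next((a for a in approvals
                    if a["target"] == ev.target and a["group"] == ev.group), None)
        alerts.append(Alert(ev, rec is not None, rec["approver"] if rec else None))
    return alerts


def run_demo() -> list:
    """Constructed sample telemetry and change records."""
    windows_events = [
        {"EventID": 4728, "Computer": "dc01.example.test", "TimeCreated": "2026-01-10T08:01:00Z",
         "SubjectUserName": "svc-idm", "MemberName": "j.doe", "TargetUserName": "Domain Admins"},
        {"EventID": 4732, "Computer": "ws17.example.test", "TimeCreated": "2026-01-10T22:14:00Z",
         "SubjectUserName": "bob.admin", "MemberName": "tempcontractor", "TargetUserName": "Administrators"},
        {"EventID": 4624, "Computer": "ws17.example.test", "TimeCreated": "2026-01-10T22:13:00Z",
         "SubjectUserName": "bob.admin", "MemberName": "", "TargetUserName": "bob.admin"},
    ]
    linux_lines = [
        "2026-01-11T03:40:12Z build02 usermod[4123]: add 'deploy' to group 'docker'",
        "2026-01-11T09:00:00Z build02 usermod[4201]: add 'alice' to group 'developers'",
    ]
    approvals = [  # constructed change-management records
        {"ticket": "CHG-0001", "target": "j.doe", "group": "Domain Admins", "approver": "iam-lead"},
    ]
    events = [e for e in map(parse_windows, windows_events) if e]
    events += [e for e in (parse_linux(l, actor="root") for l in linux_lines) if e]
    return triage(events, approvals)


if __name__ == "__main__":
    for a in run_demo():
        status = f"approved by {a.approver}" if a.approved else "UNAPPROVED"
        print(f"{a.event.timestamp} {a.event.host}: {a.event.actor} added "
              f"{a.event.target} to '{a.event.group}' [{status}]")
```

The approved addition still surfaces, but with its approver attached, which gives IR the "matches an approved request" answer the technical view asks for; the 4624 logon and the `developers` group addition are dropped because they are not membership changes to a high-risk group.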
Mitigation priorities
- Maintain an inventory of privileged and security-sensitive local and domain groups.
- Require approval and documentation for membership changes to high-risk groups.
- Apply least privilege and periodic access reviews to remove unnecessary group memberships.
- Protect and monitor accounts that can modify group membership.
- Ensure incident response playbooks include rapid validation and rollback of suspicious group additions.
Analyst notes and limits
Because the official detection strategy object does not include a description or detection procedure, this take is derived from the object name and its ATT&CK relationship to T1098.007. The most useful local validation is whether group membership changes are visible, attributable, approved, and reviewable across the organization’s identity and endpoint estate.
No official ATT&CK detection text, tactics, or platforms are provided for DET0310 itself. Platform and tactic context comes only from the related technique T1098.007. Local logging configuration, identity architecture, group naming, and administrative workflows are required to determine actual detection coverage and alert priority.
Suspicious Addition to Local or Domain Groups
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1098.007 | Additional Local or Domain Groups Sub-technique | This object detects Additional Local or Domain Groups. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0e084b369ddc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0310
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.